Swap_digger自动进行交换提取：Linux用户登录密码、网络登录密码、网络表单电子邮件、超文本传输协议基本身份验证、WIFI的SSID和密钥等进行交换提取和搜索。

wap_digger自动进行交换提取工具

swap_digger是一个bash脚本，用于自动化Linux交换分析，用于后期开发或取证目的。它自动为Linux用户凭证、网络表单凭证、网络表单电子邮件、超文本传输协议基本身份验证、SSID和密钥等进行交换提取和搜索。

下载并运行该工具

在你的机器上

使用以下命令在您的计算机上下载并运行脚本:

root@kali:~# git clone https://github.com/sevagas/swap_digger.git
正克隆到 ‘swap_digger’…
remote: Enumerating objects: 117, done.
remote: Total 117 (delta 0), reused 0 (delta 0), pack-reused 117
接收对象中: 100% (117/117), 342.53 KiB | 29.00 KiB/s, 完成.
处理 delta 中: 100% (54/54), 完成.
root@kali:~# cd swap_digger/
root@kali:~/swap_digger# chmod +x swap_digger.sh
root@kali:~/swap_digger# sudo ./swap_digger.sh -vx # # #以root运行此脚本

安装在硬盘上

要在已安装的硬盘上使用swap_digger，请执行以下操作:
首先，使用以下命令下载脚本:

alice@1nvuln3r4bl3:~$ git clone https://github.com/sevagas/swap_digger.git
alice@1nvuln3r4bl3:~$ cd swap_digger
alice@1nvuln3r4bl3:~$ chmod +x swap_digger.sh

然后，使用以下命令找到目标交换文件/分区:

alice@1nvuln3r4bl3:~$ sudo ./swap_digger.sh -S

最后，通过运行以下命令来分析目标:

alice@1nvuln3r4bl3:~$ sudo ./swap_digger.sh -vx -r path/to/mounted/target/root/fs -s path/to/target/swap/device

在第三方机器上

使用以下命令在第三方机器上下载并运行脚本(对pentests和CTF有用):

alice@1nvuln3r4bl3:~$ wget https://raw.githubusercontent.com/sevagas/swap_digger/master/swap_digger.sh
alice@1nvuln3r4bl3:~$ chmod +x swap_digger.sh
alice@1nvuln3r4bl3:~$ sudo ./swap_digger.sh -vx

注意:使用-c选项自动删除swap_digger创建的目录(/tmp/swap_dig)

简单运行:

如果您只需要恢复明文的Linux用户密码，只需运行:

alice@1nvuln3r4bl3:~$ sudo ./swap_digger.sh

可用选项:可使用-h查看

./swap_digger.sh [ OPTIONS ]
Options :
-x, --extended Run Extended tests on the target swap to retrieve other interesting data
(web passwords, emails, wifi creds, most accessed urls, etc)
-g, --guessing Try to guess potential passwords based on observations and stats
Warning: This option is not reliable, it may dig more passwords as well as hundreds false positives.
-h, --help Display this help.
-v, --verbose Verbose mode.
-l, --log Log all outputs in a log file (protected inside the generated working directory).
-c, --clean Automatically erase the generated working directory at end of script (will also remove log file)
-r PATH, --root-path=PATH Location of the target file-system root (default value is /)
Change this value for forensic analysis when target is a mounted file system.
This option has to be used along the -s option to indicate path to swap device.
-s PATH, --swap-path=PATH Location of swap device or swap dump to analyse
Use this option for forensic/remote analysis of a swap dump or a mounted external swap partition.
This option should be used with the -r option where at least //etc/shadow exists.
-S, --swap-search Search for all available swap devices (use for forensics).

寻找模式:

有些模式很容易找到。例如，如果您想搜索网络密码，您可以使用:

# strings <swap_device> | grep "&password="

如果您想搜索网络输入的电子邮件，您可以使用:

# strings <swap_device> | grep -i 'email=' | grep @ | uniq

存在明文密码与存储器中的散列密码

# strings <swap_device> | grep -C 50 <hashed_password> | grep <clear_text_password>

相关资料博文

参考：http://blog.sevagas.com/?Digging-passwords-in-Linux-swap